Mazy Dar
As web technologies dominate the landscape, financial institutions are confronted with a crucial question: how can they upgrade their security game to fend off new threats?
- Financial institutions are facing new security challenges that require them to rethink their approach to safeguarding sensitive data and user information.
- While the rise of web technologies has brought significant benefits, increased interaction with external apps and content also introduces potential security vulnerabilities that cannot be ignored.
- Financial firms must embrace a new security paradigm, inspired by industry leaders like Google: prioritise regular upgrades and adopt a zero-trust model to protect against emerging threats and maintain a secure web environment.
To protect themselves in a world of web technologies, financial institutions must reimagine their approach to security.
Once upon a time, building secure software for the financial sector had a lot in common with building a castle: high walls and a wide moat were of the utmost importance. By isolating their technology from outside threats and performing only bespoke integrations with trusted third parties, financial institutions could avoid critical security vulnerabilities.
The rise of web technologies for application development has transformed this calculus. Financial institutions can realize numerous benefits from building with web technologies, from their versatility across platforms and devices to their reduced maintenance costs to their robust open-source communities. But there’s a flipside: this increased interaction with other apps and content creates new security challenges that financial institutions must recognize and account for.
For example, picture a development team relying on a given open-source library to increase productivity in building a new app. If the library contains any malicious code, that means the app will too. If undetected, the vulnerability will make its way onto the desktops of internal users and/or clients, putting sensitive information at risk and inviting severe financial and reputational loss. In this case, the same tools that fueled a better developer experience also created an additional point of security failure.
All this has left financial institutions at an inflection point. As industry standards for application development continue to evolve, firms must embrace security protocols that, rather than isolating them from the innovation occurring in web environments, help them keep pace with bug detection and remediation. Let’s explore how.
The new approach to web security
Chromium, the open-source codebase that powers Chrome, Microsoft Edge and several other web browsers, is a perfect example of what it means to prioritize web security in today’s dynamic environment. Financial institutions that fail to follow this model are opening themselves up to potentially severe consequences.
A new version of Chromium is released approximately every four weeks, each fixing an average of 20 Common Vulnerabilities and Exposures (CVEs); in the last year alone, the new versions have addressed 270 CVEs. These fixes present tremendous security benefits, but many financial institutions, accustomed to lengthy deployment and upgrade cycles, do not consume them all – they upgrade at more of a yearly cadence. Do the math and you’re looking at a significant number of vulnerabilities left unaddressed for months at a time. Once the disclosure waiting period passes and the list of security fixes for each release is published, attackers can use that knowledge to target firms that have not yet upgraded.
The importance of staying up to date has been magnified by changes in how security issues are disclosed. Project Zero – a team of security analysts focused on identifying zero-day vulnerabilities (the newest and most significant vulnerabilities) – is a good illustration. Project Zero performs vulnerability research on popular software like mobile operating systems, web browsers and open-source libraries. If Project Zero notifies a bank or technology vendor that its software is susceptible to a hack or exploit, the firm has a certain number of days (depending on the severity) to rectify the issue; once that period passes, the bug is made publicly visible. If the firm has addressed the vulnerability, all’s well that ends well, but if the firm failed to release a patch, it receives negative attention and its users are left vulnerable to hackers, who now have a blueprint to attack. In this way, watchdogs like Project Zero are providing financial institutions with a powerful incentive to rapidly respond to identified issues and take an active role in web security.
All of this reflects a new approach to ensuring web security. Security by obscurity, with firms retreating into their own silos and providers ignoring vulnerabilities that have yet to be discovered by hackers, is untenable. Instead, there is an assumption that every entity will leave no stone unturned on security, and that clear disclosure of the issues discovered and the steps taken to address them makes the entire ecosystem stronger. This is much closer to a zero-trust model, in which all third-party code is assumed to be potentially malicious and steps to protect data and users are an absolute prerequisite.
Embrace efficiencies
To navigate this shifting security landscape, financial institutions must actively pursue new efficiencies. Even firms that are aware of the growing challenges will be hard-pressed to accommodate monthly upgrade cycles, let alone the emergency patches required when zero-day vulnerabilities are identified – unless, that is, they change their approach.
Chromium powers not only some of the world’s leading web browsers, but also leading desktop productivity platforms like OpenFin. We work tirelessly to remain co-stable with Chromium, so when Chromium is upgraded, our clients can realize the benefits – instantly. They’re assured that their data is protected, and they’re never left to scramble to resolve unforeseen issues. By outsourcing this crucial infrastructural work, financial institutions can focus on innovation and differentiation.
Adding further security layers to the tech stack is another way that financial institutions can protect themselves. By running their software within an ecosystem of other trusted apps, firms can benefit from the openness of web technologies while retaining positive control over data sharing, access and the like. This is another priority made easier by collaborating with partners that have established industry footprints.
All of this may sound daunting, but it’s really a natural process. Web technologies have fueled vast advances in developer productivity, workflow efficiency and industry standards. Now it’s time for security protocols to advance in kind. Chromium’s tremendous investment in frequent security upgrades is making the entire industry safer, as well as providing firms a unique opportunity to do their part. Financial institutions would do well to think critically about their apps’ security and identify the best way forward – and then act on it.
OpenFin and LSEG
London Stock Exchange Group (LSEG) has selected OpenFin’s technology for its flagship LSEG Workspace platform. The partnership will leverage OpenFin’s secure zero-install delivery model and container technology to simplify distribution of LSEG’s next-generation data and analytics to customer desktops.
“We’re focused on openness, accessibility, and giving our customers flexibility to build the seamless experiences that help them enhance their productivity… OpenFin presents us a scalable way of meeting our customers at the location of their choice.” – Nej D’Jelal, LSEG and OpenFin: Igniting Innovation Webinar.
Copyright © 2023 London Stock Exchange Group. All rights reserved.